By default, Snort logs in a decoded ASCII format and uses full alerts. A full alert includes the alert message and the full packet header. Snort also supports other alert output modes, selected with the -A option: fast, full, console, or none.

To produce less output, you can use the fast alert mode with the -A fast command-line option:

[testuser@localhost snort]# snort -de -c /etc/snort.conf -A fast

The -d command-line option logs application-layer information and -e logs data link-layer information. The output then looks like the following:

If you are using unified logging and the Barnyard output utility, you can also log alerts by using the alert_fast output plug-in. Barnyard takes the log processing load off the Snort engine. Barnyard processing is controlled by input processors and output plug-ins. Chapter 5 contains more information. The following example is from the /etc/barnyard.conf file:

The Snort output passes to the Barnyard utility via the unified logging plug-in. By default, Barnyard processes the output and logs the alerts to the /var/log/snort/fast_output file. The output looks like the following:
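Whether the fast-format alerts come straight from snort -A fast or from Barnyard's alert_fast plug-in writing /var/log/snort/fast_output, an analyst usually wants to parse them rather than read them by eye. The following is an added example, not code from the book or from the Snort or Barnyard projects: a small parser for the one-line Snort 2.x fast alert layout (timestamp, [gid:sid:rev], message, optional classification, priority, protocol, source -> destination) and a summary that counts alerts by priority and finds the most frequent signature. The sample alert lines are constructed for this example; the regex assumes IPv4 addresses and treats the classification block as optional, since rules without a classtype omit it, and ICMP lines carry no ports.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Layout of a Snort 2.x "fast" alert line (assumption for this example):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] [Classification: x] [Priority: n] {PROTO} src:port -> dst:port
# The classification block is optional and ICMP lines have no ports. IPv4 only.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)

# Constructed sample of fast_output contents (not real traffic); the last line
# is deliberately malformed to show that unparseable lines are skipped, not fatal.
SAMPLE_FAST_OUTPUT = """\
01/27-22:14:55.012345  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.5:3306 -> 10.0.0.2:1434
01/27-22:14:56.100200  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.2 -> 192.168.1.5
01/27-22:14:57.500000  [**] [1:1000001:1] LOCAL policy test [**] [Priority: 1] {TCP} 192.168.1.9:51234 -> 10.0.0.3:22
01/27-22:14:58.000000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.5:3307 -> 10.0.0.2:1434
garbage line that should be skipped
"""


@dataclass
class FastAlert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_fast_alert(line: str) -> Optional[FastAlert]:
    """Parse one fast alert line; return None if the line does not match the layout."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    return FastAlert(
        timestamp=m["ts"],
        gid=int(m["gid"]),
        sid=int(m["sid"]),
        rev=int(m["rev"]),
        msg=m["msg"],
        classification=m["cls"],          # None when the rule has no classtype
        priority=int(m["prio"]),
        proto=m["proto"],
        src=m["src"],
        sport=int(m["sport"]) if m["sport"] else None,   # None for ICMP
        dst=m["dst"],
        dport=int(m["dport"]) if m["dport"] else None,
    )


def summarize(text: str) -> dict:
    """Count parsed alerts by priority and report the most frequent signature."""
    lines = [l for l in text.splitlines() if l.strip()]
    alerts = [a for a in (parse_fast_alert(l) for l in lines) if a is not None]
    by_priority = Counter(a.priority for a in alerts)
    by_signature = Counter((a.gid, a.sid, a.msg) for a in alerts)
    return {
        "parsed": len(alerts),
        "unparsed": len(lines) - len(alerts),
        "by_priority": dict(by_priority),
        "top_signature": by_signature.most_common(1)[0] if by_signature else None,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_FAST_OUTPUT)
    print(f"parsed={report['parsed']} unparsed={report['unparsed']}")
    for prio, n in sorted(report["by_priority"].items()):
        print(f"priority {prio}: {n} alert(s)")
    print("top signature:", report["top_signature"])
```

To run it against a live file, replace SAMPLE_FAST_OUTPUT with the contents of /var/log/snort/fast_output. Counting by priority first is the usual triage order, since priority 1 alerts in the fast format are the ones the rule author marked as most severe, and the unparsed count is worth watching: a sudden rise usually means the log format changed (for instance, an interface prefix enabled in snort.conf), not that Snort stopped alerting.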